The server is waiting for tcp/ip disconnect, which is
never coming because the firewall eats this, resulting in backends
waiting to death. Again: you'll have to request your sysadmin to fix the
firewall, at least on that pgsql port for internal use. Timeouts
simply don't make sense here. You won't have DOS attacks internally, I
hope (if you do, locate the aggressor, and eliminate him).
The architecture just doesn't fit here - it's two LANs connected over a
VLAN, so the firewall is between us and the open internet, even though
the PG-server is in it's own LAN. I can not fix the firewall, it's not
in my jurisdiction and I cannot take it there. Changing
firewall-settings is simply not an option for me. I see that there's no
way that you would consider implementing a keep-alive feature. That's
fine, I shall have to live with the issue. Sorry to have asked in the
first place.